The rise of cybercrime is one of the biggest challenges facing legal firms today, and the scale of the gap is easy to state: the American Bar Association's (ABA) Legal Technology Survey found that about half of the firms surveyed had no response plan in place for a cybersecurity breach.
Several industry reports have predicted that the global cost of cybercrime could reach $6 trillion a year by 2021. If the cost of cybercrime were a nation's economy, that figure would rank as the fourth-largest Gross Domestic Product (GDP) in the world.
Measuring the cost of cybercrime accurately has proven very difficult. The most readily quantifiable cost of a breach is the fee for forensic cyber experts brought in after the fact. Such outlays are categorised as 'direct costs', which also include the investigation itself, notification of those affected, and any resulting litigation. The 2016 Ponemon Cost of Data Breach study estimates that direct costs make up about 34% of the financial impact of a breach. That is not a majority of the cost, but direct costs alone can range from $10,000 to $100,000, far more than many smaller businesses can absorb. A small firm that lacks both the capital and the in-house expertise to fund a forensic IT investigation may not survive it.
In the event of a major breach, companies in many jurisdictions are now legally required to inform affected customers of the breach and of what information has been lost. Several think-tanks have estimated what this notification obligation costs a company. The work includes building contact databases, retaining outside experts, postage, and establishing which regulatory requirements apply; according to insurance providers, this alone can cost up to $200,000. It is worth restating that the studies consider direct costs the smaller share of the total, yet the cost of an adequate breach response is already far beyond the means of a small company, which is often the most tempting target for a cyber-criminal.
The second, and much harder to define, category is indirect costs. These are the losses that have no easily identifiable figure attached: loss of reputation, loss of customers, and the business forgone while the company is unable to trade (for example, during a prolonged DDoS attack or a similar outage).
Although difficult to quantify, these losses are keenly felt by businesses. The loss of consumer confidence can prove fatal, as repeat customers disappear once they no longer trust the company. The Harvard Business Review estimates that 70 to 80 percent of a business's value lies in hard-to-assess intangible assets such as brand equity, intellectual capital, and goodwill. A hack or security breach directly damages those assets and therefore the value of the company. According to SiteLock data, roughly two-thirds of customers whose information is stolen from a website will, understandably, no longer do business with the company operating that site.
The picture that emerges is that adequate cyber security for customer data is affordable mainly to larger companies, while smaller and more vulnerable companies are left behind. The direct-cost figures also omit the cost of educating employees about the human element and the risks of social media, which is key to reducing the chance of a repeat attack. More and more companies are falling prey to man-in-the-middle scams, in which attackers use what they have learned about a firm and its staff to impersonate a trusted party, so employees must be warned against openly posting large amounts of personal information on social media. Certainly more could be done to strengthen companies against the wide variety of cyber-threats, but equally each organisation must be fully cognisant of the varied costs of a breach and understand that a simple financial 'hit' is rarely the full story.